Encapsulation is an approach commonly used in networking to enhance the services offered by a network to its clients. Many standardized encapsulation mechanisms have been defined, such as the Internet Security Protocol (IPsec), Internet Protocol in Internet Protocol (IP-in-IP), and Generic Routing Encapsulation (GRE). In all cases, an existing packet is taken, wrapped in a new packet, which is potentially based on a different protocol, and transmitted over the network. The wrapped, or encapsulated, packets make it appear as if all traffic being generated by the system is of a single protocol type. This makes it possible for new protocols to be deployed over an existing network without requiring all of the devices in the network to be upgraded to support the new protocol. Today, encapsulation is used to provide security for client traffic using protocols such as IPsec to create a Virtual Private Network (VPN); to provide IP version 6 (IPv6) support on IP version 4 (IPv4) networks using protocols such as 6in4, Teredo, and 6to4; and to allow networks with conflicting address spaces to run over the same network using protocols such as GRE or IP-in-IP.
When an application initiates a connection to a remote device, it uses a “transport” protocol to organize the data. This transport protocol is run over a “network” protocol, traditionally IPv4. This combination of protocol layers is commonly referred to as the Open Systems Interconnection (OSI) network model. Hosts are identified by unique network addresses and applications use specified transport addresses to distinguish themselves from other applications running on the same host. The combination of source network and transport addresses, transport protocol, and destination network and transport addresses is referred to as a flow.
Network monitoring equipment typically operates on flows. Data for the flow is packetized. Referring to FIG. 1, a packet is illustrated generally by numeral 100. The data is separated into a plurality of data chunks, each data chunk forming a payload 104 of a corresponding packet 100. Each packet 100 has one or more flow headers 102. The flow headers include a network header 102a containing network addresses for the application and a transport header 102b containing transport addresses for the application. In a TCP/IP example, the network addresses include a destination IP address and a source IP address. The transport addresses include a destination port and a source port.
For each packet, network monitoring equipment evaluates the flow headers 102 and different operations are performed based upon a set of predefined rules. For example, certain flows may be blocked by firewalls, throttled by quality-of-service enforcers, or redirected by proxies. One assumption underlying the design of the network monitoring equipment is that the network and transport addresses are in the same location in every packet 100. This assumption makes it possible to offload much of the packet processing logic into hardware.
When the packet 100 is encapsulated, however, the flow headers 102 are obscured. Referring to FIG. 2, an encapsulated packet is illustrated generally by numeral 200. The original packet 100, inclusive of the flow headers 102 as well as the payload 104, is wrapped in encapsulation headers 202. The encapsulation headers include encapsulation flow headers 204 and a custom encapsulation header 206. The custom encapsulation header contains additional encapsulation information, such as routing or encryption information. The encapsulation flow headers 204 define an encapsulation tunnel and include an encapsulation network header 204a containing network addresses for the encapsulation tunnel and an encapsulation transport header 204b containing transport addresses for the encapsulation tunnel.
It is not possible for the network monitoring equipment to evaluate the encapsulated packets using the predefined rules because the flow headers being inspected represent the encapsulation tunnel rather than the original flow.
While it is theoretically possible for the network monitoring equipment to interpret the encapsulation scheme and examine the encapsulated packet to identify the flow, this is rarely done because of the number of different encapsulation systems that can be encountered. The number of different encapsulation systems also grows significantly as the system is scaled. Because of this, the computational power required to check every packet for encapsulated traffic would slow down existing systems considerably.
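The mismatch between the two views of the packet can be shown in code. The following is an added example, not part of the patent text: it constructs a sample TCP flow wrapped in IP-in-IP and then in a GRE tunnel, and extracts the flow both as fixed-offset equipment would see it (the encapsulation flow headers 204) and by walking the encapsulation layers down to the original flow headers 102. All addresses, ports and the GRE key are constructed values; IPv4 checksums are left at zero.

```python
import socket
import struct

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE = 4, 6, 17, 47
GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S = 0x8000, 0x2000, 0x1000  # checksum, key, sequence present

def ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header (IHL=5); checksum left at zero in this constructed sample.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def tcp_header(sport, dport):
    # Minimal 20-byte TCP header (data offset 5, SYN flag), no options.
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)

def extract_flow(packet, unwrap):
    """Return (src_ip, dst_ip, proto, sport, dport). unwrap=False reads the outermost
    headers only; unwrap=True walks IP-in-IP and GRE layers down to the original flow."""
    offset = 0
    for _ in range(8):                        # bound the number of nested tunnels
        ver_ihl = packet[offset]
        if ver_ihl >> 4 != 4:
            raise ValueError("only IPv4 is handled in this example")
        proto = packet[offset + 9]
        src = socket.inet_ntoa(packet[offset + 12:offset + 16])
        dst = socket.inet_ntoa(packet[offset + 16:offset + 20])
        offset += (ver_ihl & 0x0F) * 4
        if unwrap and proto == IPPROTO_IPIP:  # RFC 2003: next bytes are another IPv4 header
            continue
        if unwrap and proto == IPPROTO_GRE:   # RFC 2784/2890: skip GRE base header and options
            flags, ptype = struct.unpack_from("!HH", packet, offset)
            if ptype != 0x0800:
                raise ValueError("non-IPv4 GRE payload")
            offset += 4 + sum(4 for f in (GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S) if flags & f)
            continue
        if proto in (IPPROTO_TCP, IPPROTO_UDP):
            sport, dport = struct.unpack_from("!HH", packet, offset)
            return (src, dst, proto, sport, dport)
        return (src, dst, proto, None, None)  # tunnel endpoints only: no transport addresses
    raise ValueError("too many encapsulation layers")

def build_sample():
    # Constructed sample: TCP flow 10.1.1.10:40000 -> 10.2.2.20:80, carried inside IP-in-IP
    # (172.16.0.1 -> 172.16.0.2), itself inside a keyed GRE tunnel 192.0.2.1 -> 198.51.100.1.
    data = b"GET / HTTP/1.1\r\n"
    inner = ipv4_header("10.1.1.10", "10.2.2.20", IPPROTO_TCP, 20 + len(data)) + tcp_header(40000, 80) + data
    ipip = ipv4_header("172.16.0.1", "172.16.0.2", IPPROTO_IPIP, len(inner)) + inner
    gre = struct.pack("!HH", GRE_FLAG_K, 0x0800) + struct.pack("!I", 1234) + ipip
    return ipv4_header("192.0.2.1", "198.51.100.1", IPPROTO_GRE, len(gre)) + gre
```

A rule keyed on `extract_flow(pkt, unwrap=False)` matches only the tunnel endpoints and protocol 47, so a firewall or proxy rule written for the inner 10.x TCP flow never fires; the unwrapping path recovers that flow at the cost of parsing every layer.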
Accordingly, it is an object of the present invention to obviate or mitigate at least some of these disadvantages.